GOOGLE IT SUPPORT PROFESSIONAL CERTIFICATE

Course 5 – IT Security: Defense Against the Digital Dark Arts

Week 3: AAA Security (Not Roadside Assistance)

Coursera Study Guide

In the third week of this course, we’ll learn about the “three A’s” in cybersecurity. No matter what type of tech role you’re in, it’s important to understand how authentication, authorization, and accounting work within an organization. By the end of this module, you’ll be able to choose the most appropriate method of authentication, authorization, and level of access granted for users in an organization.

Learning Objectives

  • Identify and describe the most common authentication services.
  • Understand and be able to choose the most appropriate method of authentication or authorization.
  • Be able to grant the appropriate level of access for the users of an organization.

PRACTICE QUIZ: AUTHENTICATION

1. How is authentication different from authorization?

  • Authentication is identifying a resource; authorization is verifying access to an identity.
  • Authentication is verifying access to a resource; authorization is verifying an identity.
  • Authentication is verifying an identity; authorization is verifying access to a resource. (CORRECT)
  • They’re the same thing.

Right on! Authentication is proving that an entity is who they claim to be, while authorization is determining whether or not that entity is permitted to access resources.

2. What are some characteristics of a strong password? Check all that apply.

  • Contains dictionary words
  • Includes numbers and special characters (CORRECT)
  • Is at least eight characters long (CORRECT)
  • Is used across accounts and systems

You got it! A strong password should contain a mix of character types and cases, and should be relatively long — at least eight characters, but preferably more.

3. In a multi-factor authentication scheme, a password can be thought of as:

  • something you are.
  • something you know. (CORRECT)
  • something you have.
  • something you use.

Wohoo! Since a password is something you memorize, it’s something you know when talking about multi-factor authentication schemes.

4. What are some drawbacks to using biometrics for authentication? Check all that apply.

  • There are potential privacy concerns. (CORRECT)
  • Biometric authentication is much slower than alternatives.
  • Biometric authentication is difficult or impossible to change if compromised. (CORRECT)
  • Biometrics are easy to share.

That’s exactly right! If a biometric characteristic, like your fingerprints, is compromised, your option for changing your “password” is to use a different finger. This makes “password” changes limited. Other biometrics, like iris scans, can’t be changed if compromised. If biometric authentication material isn’t handled securely, then identifying information about the individual can leak or be stolen.

5. In what way are U2F tokens more secure than OTP generators?

  • They can’t be cloned.
  • They’re password-protected.
  • They’re cheaper.
  • They’re resistant to phishing attacks. (CORRECT)

Great job! With one-time-password generators, the one-time password along with the username and password can be stolen through phishing. On the flip side, U2F authentication is impossible to phish, given the public key cryptography design of the authentication protocol.

6. What elements of a certificate are inspected when a certificate is verified? Check all that apply.

  • Trust of the signatory CA (CORRECT)
  • Certificate key size
  • “Not valid after” date (CORRECT)
  • “Not valid before” date (CORRECT)

Yep! To verify a certificate, the period of validity must be checked, along with the signature of the signing certificate authority, to ensure that it’s a trusted one.

7. What is a CRL?

  • Caramel Raspberry Lemon
  • Certificate Recording Language
  • Certificate Revocation List (CORRECT)
  • Certified Recursive Listener

Good job! CRL stands for “Certificate Revocation List.” It’s a list published by a CA, which contains certificates issued by the CA that are explicitly revoked, or made invalid.

8. What are the names of similar entities that a Directory server organizes entities into?

  • Organizational Units (CORRECT)
  • Clusters
  • Groups
  • Trees

Awesome! Directory servers have organizational units, or OUs, that are used to group similar entities.

9. True or false: The Network Access Server handles the actual authentication in a RADIUS scheme.

  • True
  • False (CORRECT)

Nice work! The Network Access Server only relays the authentication messages between the RADIUS server and the client; it doesn’t make an authentication evaluation itself.

10. True or false: Clients authenticate directly against the RADIUS server.

  • True
  • False (CORRECT)

Correct! Clients don’t actually interact directly with the RADIUS server; the authentication is relayed via the Network Access Server.

11. What does a Kerberos authentication server issue to a client that successfully authenticates?

  • A ticket-granting ticket (CORRECT)
  • An encryption key
  • A digital certificate
  • A master password

Exactly! Once authenticated, a Kerberos client receives a ticket-granting ticket from the authentication server. This TGT can then be presented to the ticket-granting service in order to be granted access to a resource.

12. What advantages does single sign-on offer? Check all that apply.

  • It enforces multifactor authentication.
  • It reduces the total number of credentials. (CORRECT)
  • It provides encrypted authentication.
  • It reduces time spent authenticating. (CORRECT)

You nailed it! SSO allows one set of credentials to be used to access various services across sites. This reduces the total number of credentials that might be otherwise needed. SSO authentication also issues an authentication token after a user authenticates using username and password. This token then automatically authenticates the user until the token expires. So, users don’t need to reauthenticate multiple times throughout a work day.

13. What does OpenID provide?

  • Digital signatures
  • Cryptographic hashing
  • Certificate signing
  • Authentication delegation (CORRECT)

Yep! OpenID allows authentication to be delegated to a third-party authentication service.

PRACTICE QUIZ: AUTHORIZATION AND ACCOUNTING

1. What role does authorization play?

  • It determines whether or not an entity has access to a resource. (CORRECT)
  • It verifies an entity’s identity.
  • It verifies passwords.
  • It provides strong encryption.

Awesome! Authorization has to do with what resource a user or account is permitted or not permitted to access.

2. What does OAuth provide?

  • Confidentiality
  • Integrity
  • Access delegation (CORRECT)
  • Secure communications

Wohoo! OAuth is an open authorization protocol that allows account access to be delegated to third parties, without disclosing account credentials directly.

3. How is auditing related to accounting?

  • They’re not related.
  • They’re the same thing.
  • Accounting is reviewing records, while auditing is recording access and usage.
  • Accounting is recording access and usage, while auditing is reviewing these records. (CORRECT)

That’s exactly right! Accounting involves recording resource and network access and usage. Auditing is reviewing these usage records by looking for any anomalies.

QUIZ: AAA SECURITY (NOT ROADSIDE ASSISTANCE)

1. Authentication is concerned with determining _______.

  • Identity (CORRECT)
  • Validity
  • Eligibility
  • Access

Wohoo! Authentication is concerned with confirming the identities of individuals.

2. Which of the following are valid multi-factor authentication factors? Check all that apply.

  • Something you know (CORRECT)
  • Something you did
  • Something you have (CORRECT)
  • Something you are (CORRECT)

Nice job! The three factors of authentication that can be combined for multi-factor authentication are: (1) something you know, like a password; (2) something you have, like a physical token; and (3) something you are, which would be a biometric factor.

3. Security Keys are more ideal than OTP generators because they’re resistant to _______ attacks.

  • Password
  • Brute force
  • DDoS
  • Phishing (CORRECT)

Yep! Where the OTP code can be phished, security keys rely on a challenge response system which prevents phishing attacks.

4. In the three As of security, what is the process of proving who you claim to be?

  • Authorization
  • Authentication (CORRECT)
  • Accounting
  • Authored

Great work! Authentication is one of the three As. It is the process of proving who you claim to be.

5. Which of these passwords is the strongest for authenticating to a system?

  • P@55w0rd!
  • P@w04d!$$L0N6 (CORRECT)
  • P@ssword!
  • Password!

Right on! This is a strong password because of length, numbers, upper and lowercase letters, and special characters.

6. An organization needs to set up a(n) _____ infrastructure to issue and sign client certificates.

  • ID
  • CRL
  • CA (CORRECT)
  • LDAP

You nailed it! An organization needs to set up a Certificate Authority (CA) infrastructure to issue and sign client certificates.

7. A systems administrator is designing a directory architecture to support Linux servers using Lightweight Directory Access Protocol (LDAP). The directory needs to be able to make changes to directory objects securely. Which of these common operations supports these requirements?

  • Bind, modify.
  • Bind, add.
  • Search, modify.
  • StartTLS, delete. (CORRECT)

You got it! StartTLS permits a client to communicate securely using LDAPv3 over TLS. The delete operation can make a change to a directory object.

8. Kerberos enforces strict _____ requirements, otherwise authentication will fail.

  • Time (CORRECT)
  • AES
  • NTP
  • Strong password

Great work! Kerberos enforces strict time requirements, requiring the client and server clocks to be relatively closely synchronized, otherwise authentication will fail.

9. Which of these are examples of an access control system? Check all that apply.

  • OpenID
  • OAuth (CORRECT)
  • RADIUS (CORRECT)
  • TACACS+ (CORRECT)

Woohoo! Open Authorization (OAuth) is an example of an authorization system.

Woohoo! Remote Authentication Dial-In User Service (RADIUS) is a full AAA system, so it does handle authorization.

Woohoo! Terminal Access Controller Access Control System Plus (TACACS+) is a full AAA system, so it does handle authorization.

10. A company is utilizing Google Business applications for the marketing department. These applications should be able to temporarily access a user’s email account to send links for review. Why should the company use Open Authorization (OAuth) in this situation?

  • Utilize a Key Distribution Center server
  • Compatibility with third party apps (CORRECT)
  • Gain access through a wireless access point
  • Administer multiple network devices

Well done! Open Authorization (OAuth) grants third-party websites and applications access to users’ information, like email, without sharing account credentials.

11. What does a Terminal Access Controller Access Control System Plus (TACACS+) keep track of? Check all that apply.

  • Systems users authenticated to (CORRECT)
  • Commands that were run (CORRECT)
  • Track user authentication (CORRECT)
  • Bandwidth and resource usage

Woohoo! TACACS+ tracks the devices or systems that a user authenticated to.

Woohoo! TACACS+ tracks commands that were run by a user.

Woohoo! TACACS+ tracks user authentication.

12. The two types of one-time-password tokens are ______ and ______. Check all that apply.

  • Counter-based (CORRECT)
  • Identity-based
  • Password-based
  • Time-based (CORRECT)

You got it! An OTP generator token can be counter-based, where a counter is incremented on the token and the server upon successful authentication.

You got it! An OTP generator token can be time-based, staying in sync with the server using time.

13. Security Keys utilize a secure challenge-and-response authentication system, which is based on ________.

  • Symmetric encryption
  • Shared secrets
  • Public key cryptography (CORRECT)
  • Steganography

Awesome job! Security keys use public key cryptography to perform a secure challenge response for authentication.

14. In a Certificate Authority (CA) infrastructure, why is a client certificate used?

  • To authenticate the server
  • To authenticate the client (CORRECT)
  • To authenticate the subordinate CA
  • To authenticate the CA

Right on! A client certificate is used to authenticate the client with other computers.

15. Which of these are examples of a Single Sign-On (SSO) service? Check all that apply.

  • OpenID (CORRECT)
  • Kerberos (CORRECT)
  • Tokens
  • Relying Parties

You got it! OpenID is an example of a decentralized Single Sign-On (SSO) service.

You got it! Kerberos is an example of a centralized Single Sign-On (SSO) service.

16. An Open Authorization (OAuth) access token would have a _____ that tells what the third party app has access to.

  • template
  • scope (CORRECT)
  • request
  • e-mail

Right on! An Open Authorization (OAuth) access token would have a scope that tells what the third party app has access to.

17. Authorization is concerned with determining ______ to resources.

  • Validity
  • Eligibility
  • Access (CORRECT)
  • Identity

Correct! Authorization deals with determining access to resources.

18. Kerberos uses _____ as authentication tokens.

  • Passwords
  • Certificates
  • Cryptographic keys
  • Tickets (CORRECT)

Great work! Kerberos issues tickets, which represent authentication and authorization tokens.

19. What is used to request access to services in the Kerberos process?

  • Client-to-Server ticket
  • Ticket Granting Ticket (CORRECT)
  • Client ID
  • TGS session key

Woohoo! A Ticket Granting Ticket (TGT) is used to request access to services in the Kerberos process.

20. In the three As of security, which part pertains to describing what the user account does or doesn’t have access to?

  • Accounting
  • Authentication
  • Authorization (CORRECT)
  • Accessibility

You nailed it! Authorization pertains to describing what the user account does or doesn’t have access to.

21. Access control entries can be created for what types of file system objects? Check all that apply.

  • Programs (CORRECT)
  • Files (CORRECT)
  • Folders (CORRECT)
  • APIs

Great work! Access control entries can define permissions controlling read, write, or execute functionalities on folders.

22. Your bank set up multifactor authentication to access your account online. You know your password. What other factor combined with your password qualifies for multifactor authentication? Check all that apply.

  • Passphrase
  • PIN
  • Bank card (CORRECT)
  • Fingerprint (CORRECT)

Well done! A bank card is something you have. A multifactor system will incorporate at least two factors.

23. Multiple client switches and routers have been set up at a small military base. The network team decided to implement Terminal Access Controller Access-Control System Plus (TACACS+), along with Kerberos, and an external Lightweight Directory Access Protocol (LDAP) service. What is the primary reason TACACS+ was chosen for this?

  • NIPRNet
  • Single Sign-On
  • Network access
  • Device administration (CORRECT)

Right on! TACACS+ is primarily used for device administration authentication, authorization, and accounting (AAA).

24. A(n) _____ defines permissions or authorizations for objects.

  • Extensible Authentication Protocol
  • Access Control Entries
  • Network Access Server
  • Access Control List (CORRECT)

You nailed it! An Access Control List (ACL) defines permissions or authorizations for objects.

25. A network admin deployed a Terminal Access Controller Access Control System Plus (TACACS+) system so other admins can properly manage multiple switches and routers on the local area network (LAN). The system will keep track and log admin access to each device and the changes made. This “logging” satisfies which part of the three As of security?

  • Authentication
  • Accounting (CORRECT)
  • Authorization
  • Administration

Well done! Keeping track of access and changes, through “logging”, satisfies the “Accounting” part of the three As of security.

26. Authz is short for ________.

  • Authoritarian
  • Authorization (CORRECT)
  • Authored
  • Authentication

You got it! Authorization is sometimes referred to as “authz” for short.

27. Which of these are examples of “something you have” for multifactor authentication? Check all that apply.

  • RSA SecurID token (CORRECT)
  • Password
  • PING
  • OTP (CORRECT)

Awesome! An RSA SecurID token is an example of an OTP. It is a small battery-powered device with an LCD display.

Awesome! An OTP, or One-Time Password, is a physical token that is commonly used to generate a short-lived number.

28. A Lightweight Directory Access Protocol (LDAP) uses a _____ structure to hold directory objects.

  • Distinguished Name
  • Organizational Unit
  • Data Information Tree (CORRECT)
  • Bind

You nailed it! An Access Control List (ACL) defines permissions or authorizations for objects.

29. Authn is short for ________.

  • Authentication (CORRECT)
  • Authoritarian
  • Authorization
  • Authored

Yep! Authentication is sometimes referred to as “authn” for short.

30. In addition to the client being authenticated by the server, certificate authentication also provides ______.

  • Server authentication (CORRECT)
  • Integrity
  • Authorization
  • Malware protection

Exactly! The client will validate the server’s certificate, thereby providing server authentication and client authentication.